PayPal and Lenovo have just joined Google and others in developing the “post-password” era, which will look at modern alternatives to the age-old text-based password. I wanted to give my thoughts on passwords, the problems with them and what potential resolutions there are for the future.
For any website with a login, you require at least 2 pieces of information: a username and a password.
The username can be hard enough to remember, as many websites have their own unique take on what is or isn’t allowed. An email address? An 8-character username? 15 characters?
If usernames weren’t hard enough to remember, the password field adds another layer of complexity for the following reasons:
1) Websites have different requirements on what is an acceptable password
2) You should never use the same password for more than one website (if one gets hacked, your entire digital world could be at risk)
3) A password isn’t enough because:
Nope, even with a username and a unique complex password, this isn’t enough. Google, Microsoft, Facebook and all the major banks now add the ability for two-factor authentication. This is compulsory for banks, though an optional extra for your social media and email sites. This often takes the form of a secondary secret word, of which you have to remember and supply certain characters, e.g. “What is the 1st, 3rd and 5th character of your secret word?”. Strictly speaking that is a second password rather than a second factor, since it is still something you know. Alternatively, you may use your mobile phone for verification, an RSA SecurID token or a little card reader that generates something called a “one-time password” in order to log in; those add something you have, which is what makes them a genuine second factor.
That got a little technical, but going back to basics we can see that it’s a difficult process to log in to a website, never mind logging in to 10 different sites. This means we have some shocking statistics, including:
64% of end users report that they have written down their password at least once
Study: Rainbow Technologies Password Survey: 64 Percent Write Passwords Down Compromising Corporate Data – April 28 2003
70% of people do not use a unique password for each Web site
Study: Attitudes and Behavior Towards Password Use on the World Wide Web – October 11 2000
A quarter of Brits forget their online passwords on a regular basis
Study: Microsoft UK Password Survey – November 2 2004
The Microsoft one is the most interesting for me personally. 25% of people have to reset their online password on a “regular” basis. I must have logins for over 100 various online websites, so that means I’d regularly have to reset my password for around 25 of those. What’s more concerning is that I can fully relate to that!
What PayPal & Google Plan to Do:
-Biometrics
-Password Protected USB Sticks
-Embedded Hardware Modules
-Other
These are the main contenders for the post-password era. Biometrics is an idealist’s view of digital identification. The best way to log in to a site is to prove it’s us based on biological identifiers. In a basic form, this could be a fingerprint scan, though these can be quite easy to replicate for people who do want to gain access. Alternatively, facial scanners are available with the obvious flaw (holding up a picture of the person you’re impersonating?), and eye scanners, which are intrusive, expensive and uncomfortable. A further problem with any biometric is that, unlike a password, it cannot be changed once it has been copied.
Password-protected USB sticks are limited because neither my phone nor my tablet has a USB port. Embedded hardware has the obvious problem of losing the device, which leaves us with the final option, “Other”.
Google has been toying around with the idea of a ring containing a small NFC (Near-Field Communication) chip which, if present, will allow the user to instantly prove they are the correct owner of the account. Losing the ring is the obvious concern, since whoever holds it is the owner as far as the site can tell, and adding other authentication methods on top of this means the process is more complex than the systems we have today.
Summary & Thoughts:
There’s a lot of talk about the “post-password” era, and authentication is certainly a technical and complex problem to solve. In reality, there is no developed solution to this [INSERT BUSINESS IDEA HERE]. The best possible solution would be a master login to your entire digital world, which uses some form of two-factor authentication with your phone or something similar. Most websites are starting to integrate single sign-on with Facebook, which is certainly reducing the need for so many passwords, but it’s still not an ultimate solution: one master login means one account whose compromise unlocks everything else.
Will we see the end of the 8-character password (with an upper-case letter and a number)? N0chanc3
As a final tip, don’t write passwords down on paper (or anywhere), use a different password for every site, and use a password manager such as LastPass, an encrypted password database, to store and remember them all. Protect the manager itself with a long master passphrase and, where offered, two-factor authentication.
Tweet me @thejsug !